Thu, Feb 26, 2009
Vulnerabilities in Acrobat, Excel
Two security vulnerabilities in widely used packages have been discovered,
one in some versions of Microsoft Excel, and another in Adobe Acrobat
(including Acrobat Reader). An attacker could create a specially crafted
Excel or PDF document and propagate it by email or by the web; when
opened on a particular computer, the document would automatically run
commands specified by the attacker. Both of these vulnerabilities are
currently being exploited.
The Microsoft Office Excel flaw is found in Excel 2000, 2002, 2003, and 2004, including Excel Viewer, on both the Mac and Windows versions. It is not present in Excel 2007 or 2008. It is fixed in Office 2003 service pack 3. For more information, see http://www.microsoft.com/technet/security/advisory/968272.mspx.
The Adobe Acrobat flaw is found in all versions of Acrobat and Acrobat Reader, on all platforms (Windows, Mac, Linux, BSD, etc.). Adobe has not issued any patches for this yet. For more information, see http://www.adobe.com/support/security/advisories/apsa09-01.html.
When a security vulnerability in a software program like Excel or Acrobat has been discovered, is being exploited, and has no patch available, it is important to use extra caution when receiving documents of the affected type (Excel, PDF), particularly when browsing the web or reading email. Alternatives to Excel such as OpenOffice or Gnumeric, and/or alternatives to Acrobat such as Foxit, Cabaret Stage, Xpdf, or GSview/Ghostscript may be worth considering.
To be emailed any new alerts as they appear, or to cease being emailed such alerts, send email to securityalerts-request@cs.